From c243ae4ebf52a833ebe04d71001d8bad4fa93f72 Mon Sep 17 00:00:00 2001
From: Peter Marschall
Date: Sun, 29 Dec 2024 07:16:27 +0100
Subject: [PATCH] LDAP auth: require exactly one result when searching for the LDAP user DN

This makes sure not fail securely when the query returns multiple entries
- correct grammar in some cases
- we're doing _authentication here, not authorization
- uppercase LDAP in messages & comments
- rename variable _ldap_version to _ldap_module_version to avoid misunderstanding it as LDAP's protocol version
- align formatting & messages better between _login2() and _login3()
---
 radicale/auth/ldap.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py
index 4833d18d..4f80a362 100644
--- a/radicale/auth/ldap.py
+++ b/radicale/auth/ldap.py
@@ -118,8 +118,9 @@ class Auth(auth.BaseAuth):
 filterstr=self._ldap_filter.format(login),
 attrlist=['memberOf']
 )
- if len(res) == 0:
- """User could not be found"""
+ if len(res) != 1:
+ """User could not be found unambiguously"""
+ logger.debug(f"_login2 no unique DN found for '{login}'")
 return ""
 user_entry = res[0]
 user_dn = user_entry[0]
@@ -181,9 +182,9 @@ class Auth(auth.BaseAuth):
 search_scope=self.ldap3.SUBTREE,
 attributes=['memberOf']
 )
- if len(conn.entries) == 0:
- """User could not be found"""
- logger.debug(f"_login3 user '{login}' cannot be found")
+ if len(conn.entries) != 1:
+ """User could not be found unambiguously"""
+ logger.debug(f"_login3 no unique DN found for '{login}'")
 return ""
 user_entry = conn.response[0]
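Review bot: The added `logger.debug(f"_login2 no unique DN found for '{login}'")` interpolates the caller-supplied login name verbatim into the log record, so a value containing newlines or control characters ends up shaping the log output itself; passing it as a lazy `%r` argument escapes such characters and defers the formatting until debug logging is actually enabled, e.g. `logger.debug("_login2 no unique DN found for %r (%d entries)", login, len(res))`, where the entry count also lets an operator tell "no match" from "filter too broad" now that both cases share one branch. The triple-quoted `"""User could not be found unambiguously"""` placed inside the `if` body is an expression statement rather than a comment, so it survives as a no-op string in the bytecode; a plain `# User could not be found unambiguously` line documents the branch without that. Both points apply equally to the `_login3` hunk at line 182. The body of `_login2` continues outside this hunk on both sides.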